Privacy Regulation and Audiology (I)

Geoffrey Cooling guides us through thelegislation, requirements and implications for audiology clinics and businesses.

A major business threat

While most of our focus has been on a changing market and changing technology, most of us within the profession seem to have missed one of the biggest threats to our industry ever. I know that I did until recently, and considering the lack of conversation about it, I would assume so did nearly everyone else. What am I speaking about, a new player, a new technology, a new internet strategy? No, it is a privacy regulation

Our lifeblood within this profession is returning customers and sales to people who didn’t buy first time. In order to make this happen, we need to be able to contact them. The GDPR ensures that if you do so without implicit permission, it could be fatal for your business.

Meet GDPR

In this the first of a couple of articles, I would like tointroduce you to General Data Protection Regulation(GDPR) and explain why it could be devastating toyour business if you don’t take action. GDPR is a newEU privacy regulation that was agreed in 2016 and willcome into effect in 2018.

BREXIT probably won’t save you

While BREXIT is looming, it will, in fact, have little effect on GDPR in the short term. I believe that even if a full hard BREXIT happens, UK businesses will have to deal with GDPR, probably under a different name. The UK Government has championed the regulation and is expected to adopt it even if they completely separate from the EU.

Before I outline the act and what it means, I want to assure you that this regulation covers your business. It covers every business from a one-man show to a multi-national once they keep data on their customers.

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

Coming Your Way May 2018

As I said, the regulation was adopted on 27th April 2016. However, it becomes enforceable from 25 May 2018 after a two-year transition period. Unlike a directive, it does not require national governments to pass any enabling legislation and is thus directly legally binding and applicable.

The GDPR does not just cover data within the EU, it also covers the export of personal data outside the EU. The regulation was framed to give EU Citizens and residents control over their personal data. It is also designed to simplify the regulatory environment.

All Organisations

For all organisations of any size, it will mean establishing clear procedures around consent and having a legal basis for gathering data, especially in the digital world. It also means that consumers will have the right to ask for access to data held on them and have it changed or erased.

Ultimately, every business will need to reconsider how they communicate with customers, how they gather data and how they organise that data into an effective audit trail.

The Scope

The regulation applies if the data controller (that’s you) or processor (Sycle, IPRO, Audidata etc, basically any customer data management system) or the data subject (person) is based in the EU. However, the Regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents.

Surprisingly some of the Patient management systems that we use every day are not GDPR compliant. Although I have no doubt that they are working towards it. In fact, the only two I am sure are compliant are the systems offered by Audidata and iPro. I plan to send a questionnaire to all of the Patient Management Software Providers to assess their readiness.

Defining personal data?

According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or even a computer’s IP address.”

The Penalties

Under GDPR organizations in breach of the regulation can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.

There is a tiered approach to fines, a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and the data subject about a breach or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

What Now?

Simply put, you seriously need to consider not just your handling of data. But also why you gather data. You also need to consider the security of any personal data collected. As I said, that includes paper records. This isn’t just about digital. The GDPR covers all records that include customer information. That means your Patient record cards, your customer lists, your Patient management systems, pretty much any record with their details on it.

Big Fines

If you are found to have breached the regulation, it will involve a pretty big fine. A fine big enough, to possibly put you out of business. Any breach could also lead to legal action from a consumer which could definitely destroy your business.

The UK privacy body has indicated that the regulation will come into effect in May, however, they want to work with businesses as opposed to hand out big fines. They say in the instance of a problem arising, if you work with them and show that you have at the least taken steps to meet the requirements they will be happy to deal with the issue in a more friendly manner.

Opt-In consent

In our daily jobs, we meet prospective customers,during that consultation we fill in a record card. Every record card is a mix of medical record and private information. It is implicitly understood that we will keep that record card on file. Implicit and in fact we have a legal duty to retain medical records. However, implicit understanding is no longer good enough. Implicit understanding is the basis of what is called an Opt Out system.

By that I mean they know we are keeping the record and if they don’t want us to, they need to tell us not to. The GDPR changes all of that, Opt Out is no longer acceptable, all data capture systems need to be Opt-In. So you need to get their explicit consent to record and keep the data. However, and this is the crux for any commercial hearing healthcare organisation, that basis does not cover contacting a person for marketing purposes. While there are legal or even contractual basis for many things we do in the hearing healthcare profession, getting simple implicit consent is the easiest way to cover all bases.I for one, would not like to be the test case to set precedent for a five year new technology letter without implicit consent signed by the customer.

Providing Additional Information

Under the GDPR, to get consent, additional information mustbe communicated to individuals in advance ofprocessing, such as the legal basis for processing thedata, retention periods, the right of complaint wherecustomers are unhappy with your implementation ofany of these criteria, whether their data will be subjectto automated decision making and their individualrights under the GDPR. The GDPR also requiresthat the information is provided in concise, easy tounderstand and clear language.

Clear Easy To Understand Language

In order for you to meet the requirements of usingCustomer Consent as a basis for Data Collection, youneed to use clear unambiguous language to gain thatconsent. That language needs to explain why you arecollecting the data and what you are going to do with it.The consent they give you needs to be auditable, sothat means written consent that is filed and kept. If theconsent is not auditable, you are not compliant. If thelanguage you used to get the consent was not clear ordid not cover every use case for the data, you are notcompliant.

Data security and storage

Data security is perhaps not something that weconsider in our business. I figure that many of us thinkthat the management systems have it sorted andgenerally leave it at that. That can no longer be the case. We need to think clearly about data security anddata access.

Noah can be secured with a password and differentlevels of access security for different users. I wonderhow many of us use a secure password? How manyof us actually set up different levels of users when weneed to give access to receptionist staff or hearinghealthcare assistants?

When we set up backups for Noah, do we make surethey are encrypted and secure? Do we store themsecurely on-site or off-site? If we use cloud storagefor back up of Noah, we now need to make sure thatit is a secure storage facility that is compliant with theregulations.

Are your patient record cards stored securely? Whohas access to them and do they need access to them?If you regularly type up and send medical reports, doyou make sure that the digital records of those reportsare kept securely? Do you encrypt medical reports onyour machine? If you keep hard copies are they keptsecurely?

After a patient has passed away, do you destroy theirrecords? If so, how exactly do you do it? How longshould you keep them for? How in fact should theybe destroyed? Should they now be destroyed in averifiable manner?

Patients right to access data

Under the GDPR a customer has more rights to accesstheir data. I think this is something that we may nothave considered. You need to ensure that you haveprocedures in place to cover all the rights individualshave, including how you would delete personal dataor provide data electronically and in a commonly usedformat.

The rights for individuals under the GDPR include:

• subject access
• to have inaccuracies corrected
• to have information erased
• to object to direct marketing
• to restrict the processing of their information

including automated decision-making

• data portability

Right to forget

If a customer asks that you delete their data ordestroy their data. Can we do it legally? If so, it needs to beundertaken in a verifiable manner, all of the data needsto be deleted, all of the records need to be destroyed.These are just a few of the considerations we need tocover. Unfortunately, we need to do it quite quickly. Inthe next article, I will outline more or less exactly whatyou need to start looking at and how you might achievecompliance.